
    The Extortion Aftermath: Examining the Largest Data Breaches and Their Cybercrime Toll

    Data breaches are a growing issue for both companies and their clientele. There were 3,205 data breaches in 2023, over 1,400 more than the year before(1). That same year, the FBI’s Internet Crime Complaint Center (IC3) received 880,418 reports of online fraud resulting in damages eclipsing $12.5 billion, both figures up from 2022(2).

    While they’re not the only factors at play, these numbers suggest a strong correlation between data breaches and cyber extortion. Individuals can face consequences that extend far beyond the initial breach, and companies can endure irreparable reputational damage and hefty legal fees. As such, it’s important for both consumers and corporations to examine past breaches to avoid repeating the same mistakes.

    Ashley Madison (2015): The Exposure of Infidelity 

    In what is likely the most widely covered data breach to date, the extramarital dating platform Ashley Madison suffered a massive breach in 2015 that compromised the private data of its roughly 37 million users(3). This included account data such as emails, phone numbers, addresses, transaction history, and activity on the platform. Additionally, the hackers published information about Ashley Madison’s company servers, employee network, and financial records.

    The Breach and Its Impact

    The hacking group, which went by the self-assigned “Impact Team” moniker, claimed the breach was motivated by Ashley Madison’s falsely advertised “full delete” service. The company charged users a $19 fee to allegedly scrub the very data that the Impact Team later exfiltrated.

    The taboo surrounding the activity of the platform’s participants resulted in severe blackmail and reputational damage to the individuals exposed in the breach. Users ranging from public figures to everyday people faced public backlash and still face the risk of psychological and financial harm to this day.

    Cyber Extortion and Blackmail

    The combination of leaked private credentials and the anonymity users had sought was a powerful mix for cybercriminals. With this private data available online after the breach, scammers had more than enough to craft phishing attacks, blackmail their targets, and even commit sextortion.

    Many of these attacks threatened to reveal the user’s infidelity to their family, friends, or professional colleagues if certain demands were not met. The behavior users engaged in on the platform makes such sextortion scams seem more believable. In some instances, the spouses of users were contacted directly with threats to expose their partner’s behavior.

    In 2017, Ashley Madison had to pay a settlement of $11.2 million to users of the website on top of being penalized $1.6 million by the FTC(4). In addition to the financial loss, the company was required to discontinue its deceptive practices and develop a stronger security system.

    As for users, the damage to their personal lives is long-lasting and potentially limitless. Many marriages and careers ended because of the breach(5). Even five years later, users were bombarded with sextortion email scams in such high quantities that it made national headlines(6).

    Yahoo (2013-2014): The Massive Account Compromise 

    Yahoo suffered two of the top ten data breaches of the 21st century within a two-year span, one of which takes the top spot on that list(7). In 2013, an intrusion into Yahoo’s servers compromised the account data of all 3 billion accounts active at the time.

    The next year, Yahoo was again the target of a data breach, this time a suspected state-sponsored attack that accessed the credentials of 500 million users. Yahoo first publicly addressed this second breach on September 22, 2016, nearly two years after it was discovered. Roughly three months later, and three years after it occurred, Yahoo disclosed the 2013 breach.

    The Scale of the Breach

    The two breaches together impacted over 40% of the world population and went undisclosed for at least a year and a half after a potential network intrusion had been detected. Coincidentally, the announcement came months after an agreement was made to sell the company to Verizon, which claimed it was unaware of the breach until two days prior to the public announcement(8).

    The data leaked included names, emails, phone numbers, birthdates, passwords, security question answers, and unique cryptographic values assigned to each account. Yahoo’s investigation determined that credit and banking data was not compromised, but the breach provided cybercriminals with more than enough ammunition to carry out their attacks. 

    The Rise of Credential Stuffing 

    With access to account emails and their corresponding cryptographic values, the hackers used an installed script to forge session cookies, which granted them access to accounts whether or not they had the passwords.

    Credentials like these create virtually endless possibilities for cybercriminal activity. Any account registered to a compromised email could be accessed via a password reset, meaning the hackers could commit identity theft and financial extortion even though no banking information was stolen in the breach.
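    The passage above describes the attacker’s side: stolen credentials reused at scale against many accounts. From the defender’s side, the same activity leaves a recognisable footprint in authentication logs: one source address trying many different usernames, most of them failing, with the occasional success. The following is an added example (not code from the original post or from any of the companies discussed) that runs that detection logic over a few constructed log lines; the log format, thresholds and sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (not real data). Assumed format per line:
#   <timestamp> <source ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin OK
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:05Z 198.51.100.2 alice FAIL
2024-05-01T10:00:09Z 198.51.100.2 alice FAIL
2024-05-01T10:00:15Z 198.51.100.2 alice OK
2024-05-01T10:01:00Z 192.0.2.9 grace OK
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass
class SourceStats:
    """Per-source-address counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_auth_log(text):
    """Aggregate login attempts by source address; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(m["user"])
    return stats


def classify_sources(stats, min_users=5, min_fail_rate=0.5, min_single_failures=2):
    """Label each source as credential stuffing (many users, mostly failing)
    or password guessing (one user, repeated failures). Returns
    {ip: (label, [accounts that succeeded from that source])}."""
    findings = {}
    for ip, s in stats.items():
        fail_rate = s.failures / s.attempts
        hits = sorted(set(s.successes))
        if len(s.users) >= min_users and fail_rate >= min_fail_rate:
            findings[ip] = ("credential_stuffing", hits)
        elif len(s.users) == 1 and s.failures >= min_single_failures:
            findings[ip] = ("password_guessing", hits)
    return findings


def compromised_accounts(findings):
    """Accounts that authenticated successfully from a flagged source; these are
    the ones to force through a password reset and session revocation."""
    return sorted({user for _, users in findings.values() for user in users})


if __name__ == "__main__":
    found = classify_sources(parse_auth_log(SAMPLE_LOG))
    for ip, (label, hits) in found.items():
        print(f"{ip}: {label}, successful logins from this source: {hits}")
    print("accounts to reset:", compromised_accounts(found))
```

    The thresholds are deliberately low so the constructed sample trips them; in production they are tuned per application, and the successful logins from a flagged source matter more than the failures, because those are the accounts the attacker now holds.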

    Extortion and Phishing Campaigns

    The FBI believes the second breach began with a spear phishing attack targeting Yahoo employee credentials(9). Furthermore, one of the hackers used the extracted contact information of at least 30 million users to carry out further spam and phishing schemes(10).

    Additionally, the stolen data was sold on the dark web. This perpetuates the threat of further phishing attacks and expands the potential for extortion of the victims, even those who took the necessary steps to secure their Yahoo accounts.

    Equifax (2017): The Credit Data Catastrophe

    During the first half of 2017, Equifax suffered a data breach that exposed the personally identifiable information of over 147 million American citizens. As one of the three major credit bureaus in the country, Equifax held information such as names, addresses, birth dates, driver’s license numbers, Social Security numbers, and credit card information.

    The Breach and Its Sensitivity

    Hackers exploited a vulnerability in software used by Equifax to initiate the breach. Equifax had two chances to patch this vulnerability. The first was when Homeland Security alerted the company to the outdated software; internal patching was assigned but never completed.

    Less than a week later, Equifax’s IT department ran a security scan that failed to detect the vulnerable version of the software. Action at this point would have come after the initial intrusion, which occurred two days after the U.S. CERT alert, but it would have helped limit the extent of the breach(11).

    The hackers initially attacked Equifax’s credit report dispute portal, which gave them access to the data contained in those reports and a path into additional databases. Security measures were in place to encrypt this data, but Equifax had failed to renew the associated certificate. As a result, the company was unaware that data which could lead to the identity theft and financial fraud of hundreds of millions of people was being extracted(12).

    The Use of Stolen Data for Extortion 

    While the hackers made off with a massive amount of personal information that could have fuelled a large-scale extortion scheme, the breached data was never released to the dark web, and no reported fraud or identity theft has been traced back to the breach(12).

    Instead, it was determined that four Chinese military-backed hackers carried out the attack(14), with many experts speculating that the motivation was espionage rather than extortion. Regardless, it was confirmed that the sensitive credit information of over 40% of the United States population was stolen, creating the potential for such criminal activity.

    In 2019, Equifax agreed to a settlement of at least $575 million that could potentially reach $700 million. The agreement included $300 million for consumers, with the potential to add a further $125 million if needed. Additionally, $175 million was paid to the states and territories impacted and $100 million to the CFPB(15).

    Equally as damaging as the settlement costs was the reputational harm sustained due to the breach. Equifax’s mishandling of the patching process, compounded by its missteps after discovering the breach, caused massive distrust.

    These missteps included creating a new domain for information on the breach that resembled a phishing site, social media posts that directed users to the wrong site when suspicion was already high, and language that implied consumers would waive their right to sue if they checked whether they were affected(12).

    Marriott (2014-2018): The Hotel Guest Data Leak

    Marriott suffered a data breach of the guest reservation system of its subsidiary chain, Starwood, which spanned four years and began two years before Marriott acquired Starwood. The breach demonstrated both poor security standards at Starwood and a lack of due diligence on the part of Marriott prior to the merger.

    The Scope of the Breach

    Initial estimates stated that the breach impacted 500 million customers, although Marriott would later update this figure to “less than 383 million”(16). The information accessed by hackers included names, addresses, emails, phone numbers, credit card information, and passport numbers. 

    The Use of Stolen Data for Targeted Attacks 

    As with Equifax, Marriott was breached by a Chinese state-sponsored team of hackers. Consequently, the data was not posted for sale on the dark web, which suggests it was stolen for government surveillance of foreign nationals rather than for online blackmail and extortion.

    Nonetheless, the theft of that data, and the fact that it was stored as insecurely as it was, leaves customers at the mercy of whoever holds it. The potential for identity theft and travel fraud exists as long as consumer data is in the hands of an unauthorized party.

    The International Implications

    Many international travelers were forced to acquire new passports after the breach, and Marriott offered to pay for replacements if guests could prove their passport numbers had been used to carry out fraudulent activity(17).

    Additionally, the international operations of the Starwood chain of hotels compounded the difficulty of the investigation, with numerous national intelligence agencies needing to cooperate.

    Capital One (2019): The Cloud Data Misconfiguration 

    Capital One had the data of over 100 million customers breached by a former Amazon employee who accessed customer data hosted on Amazon Web Services. The hacker gained access to personal information including names, addresses, credit data, and Social Security numbers. Those impacted included customers dating all the way back to 2005(18).

    The Breach and Its Technical Cause

    As mentioned, the Capital One breach was carried out by former Amazon employee Paige Thompson. She was able to access the cloud storage by exploiting a misconfigured web application firewall.

    It was initially suspected that she used insider knowledge to circumvent security detection. However, Thompson actually employed server-side request forgery (SSRF), a well-known hacking technique, to trick the already misconfigured firewall into running commands it should not have been permitted to run(19).
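    The defensive counterpart to the technique described above is an application-level check that refuses to fetch user-supplied URLs pointing at internal or cloud-infrastructure addresses, so that a component which fetches on the server’s behalf cannot be turned against the network it sits in. The following is an added example (not code from the original post, from Capital One, or from any WAF vendor) that places a permissive check beside a hardened one; the function names and the constructed test addresses are assumptions for illustration, and the check works for any public-cloud deployment, not just the one discussed here.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the server must never fetch from on a user's behalf: loopback,
# RFC 1918 private space, link-local (where cloud instance metadata services
# are served), carrier-grade NAT, and the IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


def permissive_check(url):
    """The kind of check that lets SSRF through: it only looks at the scheme."""
    return urlparse(url).scheme in ("http", "https"), "scheme ok"


def resolve_all(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_target(url, resolver=resolve_all):
    """Decide whether a user-supplied URL may be fetched by the server.

    Returns (allowed, reason). `resolver` is injectable so the check can be
    exercised offline; the default performs a real DNS lookup.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {ipaddress.ip_address(host)}      # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError) as exc:
            return False, f"could not resolve {host}: {exc}"
    for addr in addrs:
        # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged
        # as the IPv4 address it wraps, or the loopback block is bypassed.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return False, f"{host} resolves to {addr}, inside blocked range {net}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; "internal" is a hypothetical hostname mapped by a
    # fake resolver so the example runs without network access.
    fake_dns = lambda h: {"10.0.0.5"} if h == "internal" else {"198.51.100.10"}
    for url in ("http://169.254.0.1/", "http://[::ffff:127.0.0.1]/",
                "https://internal/", "https://example.test/"):
        print(url, "permissive:", permissive_check(url)[0],
              "hardened:", check_fetch_target(url, resolver=fake_dns))
```

    Two caveats a practitioner would add: the check resolves the name before the fetch, so the fetch itself should connect to the validated address rather than resolving again (otherwise a DNS answer that changes between the two lookups defeats the check), and this network filter is defence in depth, not a substitute for giving the server the least privilege it needs in the cloud account.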

    The Use of Stolen Data for Financial Extortion

    Thompson’s legal defense argued that her intention was to collect a bounty as a “white hat” hacker, simply showing Capital One the weaknesses in its security through the breach. Regardless of intent, the breach of the bank holding company exposed its customers to potential blackmail, financial extortion, and identity theft.

    The Importance of Cloud Security

    According to cybersecurity experts, the method Thompson used to exploit the vulnerability and gain unauthorized access to consumer data could be used to breach any organization that uses public cloud storage(20).

    Because of this, robust cloud security measures should be mandatory for every company’s network. Careful consideration needs to go into the decision to use a public cloud storage provider, and regular penetration testing and security audits should be conducted.

    Prevention and Mitigation

    Whether you have already responded to a data breach or have avoided one so far, preventative action is paramount to successful business operations. Taking the following actions could save the reputation and finances of both you and your clients.

    • Strengthening Data Security: Organizations need to invest heavily in both their prevention and response systems for data breaches. Proper data encryption, access controls, and regular security audits can ensure your security is as strong as possible. However, a breach can happen to even the most secure system, so having a robust response plan can help limit damage to clients, reputation, and finances.
    • Educating Users About Phishing and Extortion: Security systems are only as strong as the individuals working within them. One user can compromise the networks of multiple corporations simply by clicking the wrong attachment in an email. Therefore, it is as important to conduct regular training on phishing and extortion tactics as it is to invest in and continually update your security software.
    • Working with Law Enforcement: Working in coordination with law enforcement can better position you to successfully mitigate a data breach and follow the proper response regulations to limit litigation costs. An example of the consequences of not doing so can be seen in the Equifax case, in which Homeland Security’s assistance was rejected and the resulting response was heavily scrutinized and led to massive settlement costs.
    • Consulting Cybersecurity Professionals: Cybersecurity firms can help you investigate and document a data breach, discover the vulnerabilities in your system, and develop a response plan. While this may be your first experience with this kind of cyberattack, these organizations specialize in detecting, containing, and preventing breaches.

    The Evolving Landscape 

    As new technology is released and becomes more accessible to the general public, the ability to commit large-scale cybercrime becomes more widespread. With programs such as hacking kits available online, anyone with a device can exploit system vulnerabilities.

    Just as the advancement of these tools sparks the development of new criminal strategies, it also enables cybersecurity professionals such as the ones at DFC to better uncover illicit activity.

    DFC can help both companies and consumers deal with the fallout of a data breach. We can contain the initial breach, discover which points were exploited, and prevent future attacks through ongoing monitoring and regular auditing. Additionally, we can scour the internet to find any areas where client data may have been exposed and assist with removal. 

    If you’ve suffered a data breach, had your personal information compromised in a breach, or want to position yourself to prevent a future breach, DFC has you covered. Reach out today to speak with one of our specialists and see how we can help you. 

    Sources: 

    1. Number of data breaches and victims U.S. 2023 | Statista
    2. FBI Releases Internet Crime Report | FBI
    3. The Ashley Madison Data Dump, Explained | The New York Times
    4. Judge OKs $11.2M settlement for hacked Ashley Madison users | AP News
    5. The Story Behind Ashley Madison: Sex, Lies, & Scandal | TIME
    6. Ashley Madison Hack Returns To ‘Haunt’ Its Victims: 32 Million Users Now Watch And Wait
    7. The 18 biggest data breaches of the 21st century | CSO Online
    8. Yahoo ‘state’ hackers stole data from 500 million users | BBC News
    9. Here’s how the FBI says Russian hackers stole Yahoo account secrets | CBC News
    10. Charges Announced in Massive Cyber Intrusion Case | FBI
    11. How the Equifax hack happened, according to its CEO | PBS News
    12. Equifax Data Breach Case Study: Causes and Aftermath
    13. Equifax mystery: Where is the data?
    14. Chinese Hackers Charged in Equifax Breach | FBI
    15. Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach | Federal Trade Commission
    16. Marriott says less than 383 million guests impacted by breach, not 500 million | ZDNET
    17. Marriott to reimburse some guests for new passports after massive data breach | ZDNET
    18. Capital One data breach: A hacker gained access to 100 million credit card applications and accounts | CNN Business
    19. What We Can Learn from the Capital One Hack | Krebs on Security
    20. What Happens Next After the Massive Capital One Data Breach | CPO Magazine

    DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.